pgpfan:forward_secrecy
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
pgpfan:forward_secrecy [2020/07/14 16:45] – [Forward Secrecy] Better organization b.walzer | pgpfan:forward_secrecy [2022/03/19 21:50] (current) – Redundant, poorly worded. b.walzer | ||
---|---|---|---|
Line 1: | Line 1: | ||
======Forward Secrecy====== | ======Forward Secrecy====== | ||
- | The PGP protocol is sometimes criticized because it lacks a feature called [[wp> | + | The PGP protocol is sometimes criticized because it lacks a feature called [[wp> |
- | Some process is used to come up with a temporary key known only to you and your correspondent (e.g. [[wp> | + | * Some adversary records your encrypted messages |
+ | * Optionally the adversary can attempt | ||
+ | * They then attack | ||
- | The first important point is that forward secrecy depends on the integrity of the encryption. If someone manages to break the encryption on your old messages they will still get access to them. | + | So starting out we are talking about a two phase attack |
- | The second important point comes from the first. Since forward secrecy depends | + | If we are talking about OpenPGP over email then creating an archive of your encrypted messages |
- | =====Message Archives===== | + | So a practical attack would involve the compromise of not just your end point but your email server as well. The attacker would have to first compromise your email server, wait to build up an archive of your messages and then compromise your end device to get the secret key material to decrypt their archive. It would make more sense for an attacker to go for your end device in the first place and end up with the same material, sooner. |
- | If someone gains access to one of your private PGP encryption keys then they can decrypt all the archived email that was originally sent to the associated identity. A system with forward secrecy | + | Email messages are normally kept indefinitely and that tends to be the default even on systems that provide |
- | There is no practical security difference between PGP and a system | + | Reduced to the essence: forward secrecy is where you delete the encryption key protecting some encrypted data to prevent that key from falling into the possession of an attacker that already has that encrypted data. There is nothing preventing any system |
- | =====Post-Compromise===== | + | Hardly anyone ever does forward secrecy with OpenPGP. Why not? It's easy to do in a technical sense and would not cause your correspondents to have to reverify your identity. |
- | If someone gains access to one of your private PGP encryption keys then they can then decrypt any intercepted email sent to the associated identity. If someone gains access | + | In 2020 a company called Cellebrite announced that they had a specific Signal Messenger data interpretation facility that would be useful in the event that their forensic box broke into the smartphone that Signal was running on(([[https:// |
- | This only works for the case where the access is only a copy of your private key. If your opponent gets write access to your device they can probably leverage that into access to your messages going forward. Gaining access to a pass-phrase protected PGP private key requires at least enough access to install a key-logger (or equivalent) which implies write access. The ability to impersonate you would normally give them at least partial access to your discussions. | + | | ^ Signal |
+ | | Archived Network Messages | Protected | Protected | ||
+ | | Messages Saved on Phone | Revealed | ||
- | A system | + | So the encrypted email actually ends up providing a better result for the user. That is because it is possible to lock up the encryption key more securely |
- | =====Pre-Compromise===== | + | In general the value of forward secrecy decreases as the protection of the secret key material increases. So it might be more important for situations like instant messaging where it is harder to protect the secret key material(([[em: |
- | This assumes that there is someone with enough foresight (and [[starttls|ability]]) to record your encrypted messages off the network or your email server. That message archive can be decrypted if they later gain access to your PGP private key. That archive would have been useless in the case of a forward secrecy supporting system as the decryption key(s) would of been destroyed. | + | [[pgpfan: |
- | + | [[em:index|Encrypted Messaging | |
- | This is the advantage of forward secrecy. | + | |
- | + | ||
- | =====Conclusions===== | + | |
- | + | ||
- | Forward secrecy: | + | |
- | + | ||
- | * provides no real protection after a compromise. | + | |
- | * provides no protection of archives. | + | |
- | * is rendered pointless for messages that are archived. | + | |
- | + | ||
- | The addition of forward secrecy to a protocol increases the complexity of that protocol. In the case of something like encrypted email where archived messages almost always exist it wouldn' | + | |
- | + | ||
- | [[pgpfan:index|PGP FAN index]] | + | |
pgpfan/forward_secrecy.1594745122.txt.gz · Last modified: 2020/07/14 16:45 by b.walzer